GIV Posted March 13, 2013
Armadillo 9.60 unpackme. Protections: CopyMem II plus DebugBlocker and Memory Patching.
Goal 1: Find the password to run the file.
Goal 2: Unpack the file.
Attachment: Armadillo 9.60 Unpackme.rar
GIV (author) Posted March 13, 2013
Here is a second unpackme with all protection options enabled.
Attachment: Armadillo 9.60 unpackme.rar
mrexodia Posted March 13, 2013 (edited)
Here is a serial (run with the REGISTER command line).
First unpackme: GIV 3D2D-2FDC-506C-5FFB
Second unpackme: a 414C-60F1-2867-AF48
EDIT: attached dump + fixed relocations + deobfuscated code splices: armadillo 9.60 unpackme_dump2_fixed.rar
Edited March 13, 2013 by Mr. eXoDia
GIV (author) Posted March 14, 2013 (edited)
And the password is?
P.S. I am also waiting for the first file to be unpacked.
Edited March 14, 2013 by GIV
mrexodia Posted March 14, 2013
@GIV: no idea, I just bypassed the password protection. The first file has problems xD I must research it more (the OEP is fine, but the program crashes somewhere in vbm800.dl or something).
Greetings
Vovan666 Posted March 14, 2013
Armadillo 9.60 unpackme #1 pass: #EE5125BD
Unpacked: Armadillo 9.60 Unpackme_dump_.rar
GIV (author) Posted March 14, 2013
Quoting Vovan666: "Armadillo 9.60 unpackme #1 pass: #EE5125BD unpacked"
Thank you, but for me it does not work.
Attachment: Problem.rar
GIV (author) Posted March 14, 2013
Quoting mrexodia: "@GIV: no idea, I just bypassed the password protection. The first file has problems xD I must research it more (the OEP is fine, but the program crashes somewhere in vbm800.dl or something). Greetings"
Here is what you should get.
Attachment: First unpackme.rar
mrexodia Posted March 14, 2013
@Vovan: nice work, how did you retrieve the password?
Greetings
GIV (author) Posted March 14, 2013
@eXoDia: The password shown is not the real one.
mrexodia Posted March 14, 2013
@GIV: it's accepted by Arma, so it's the real one.
Greetings
converse Posted March 14, 2013
@Mr. eXoDia: Will you make a tutorial on how to unpack version 9.60? Thanks.
GIV (author) Posted March 15, 2013
I didn't input the password like this. I understand that it could be valid in hex and Arma can be fooled, but my expectation was different. Let's say that it is accepted... It remains for the first unpackme to be unpacked and fully working. Vovan666's crashes for me.
Vovan666 Posted March 15, 2013 (marked as solution)
Unpackme1 unpacked, fixed: Armadillo 9.60 Unpackme_dump_.rar
converse Posted March 15, 2013 (edited)
Armadillo easily unpacked: unpacked_.rar
Edited March 15, 2013 by converse
GIV (author) Posted March 15, 2013
It is none of what I have input, but if the app accepts it then it is OK.
Vovan666 Posted March 15, 2013
The original password cannot be restored from the CRC32.
redblkjck Posted March 15, 2013
So as long as the password has a CRC32 of 11AEDA42, the password is accepted. I would assume Arma doesn't have a clue what the original password is then; it only stores the hash and compares. Interesting, thanks.
kakamail Posted March 15, 2013
Nice! I really want to know how to get the valid passwords.
mrexodia Posted March 15, 2013
@kakamail: breakpoint at the CRC function of Arma (a little tricky to find).
Greetings
deepzero Posted March 15, 2013
They are seriously using plain CRC to "hash" the pw?
redblkjck Posted March 16, 2013
Quoting deepzero: "They are seriously using plain CRC to "hash" the pw?"
Almost. I took a look at another example and it's CRC32 JAMCRC.

Debug till you are at the password prompt, then set a BP on USER32.GetWindowTextA. Enter your password and it breaks. Follow to the RET back and you are in the security section of Arma code. It will look like this. Look for the second CALL location below and step in.

    CALL DWORD PTR [929438]         ; USER32.GetDlgItem
    PUSH EAX
    CALL DWORD PTR [929448]         ; USER32.GetWindowTextA
    LEA ECX, DWORD PTR [EBP-11C]
    PUSH ECX
    CALL 008FBB40
    ADD ESP, 4
    TEST EAX, EAX
    JE SHORT 008899C8
    MOV EDX, DWORD PTR [94EE70]
    MOV DWORD PTR [EBP-310], EDX
    LEA EAX, DWORD PTR [EBP-11C]
    PUSH EAX
    MOV ECX, DWORD PTR [EBP-310]
    CALL 008445A0                   ; F7 Follow me
    MOVZX ECX, AL
    TEST ECX, ECX
    JNZ 00889A5B                    ; Flip Z to bypass the password.

Scroll down to the RET 4 of that CALL and look for the CMP. EAX is the CRC of what you typed in; the pointer address is the good hash.

    MOV ECX, DWORD PTR [EBP-4]
    ADD ECX, 1
    MOV DWORD PTR [EBP-4], ECX
    MOV EDX, DWORD PTR [EBP-14]
    MOV EAX, DWORD PTR [EBP-4]
    XOR ECX, ECX
    CMP EAX, DWORD PTR [EDX+5A4]    ; CMP CRC JAMCRC
    SETE CL
    MOV AL, CL
    MOV ESP, EBP
    POP EBP
    RET 4

Convert the JAMCRC to CRC32 by XOR: XOR the good password hash with 0xFFFFFFFF. Now you have a CRC32 hash to brute force. There is another CMP to the same pointer just above this one; in the example I used it never took that jump. Guess you can set a HWBP on both.
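An added worked example (my code, not code from the thread or from Armadillo) of the last step redblkjck describes: turning the stored JAMCRC into a CRC-32 target and producing a password that matches it. It assumes what the thread suggests and nothing more: the value at [EDX+5A4] is the CRC-32/JAMCRC (reflected, polynomial 0xEDB88320, initial register 0xFFFFFFFF, no final XOR) of the typed password bytes, and the check is plain equality. Besides the brute force the post mentions, it shows why the brute force is not even needed: CRC-32 is linear, so four bytes appended to any chosen prefix can be computed directly to hit the target, and a few dozen prefix tries give an all-printable password. The function names (crc32, jamcrc, jamcrc_to_crc32, brute_force, forge_suffix, forge_printable) and the "pw<n>" prefixes are my own. One arithmetic fact worth noticing: 0x11AEDA42 XOR 0xFFFFFFFF = 0xEE5125BD, which is exactly the hex in the password Vovan666 posted.

```python
"""
Added example: recover or forge a password that satisfies a CRC-based check
of the kind redblkjck describes (stored JAMCRC compared against the JAMCRC of
the typed password).  Assumption, not established by the thread: the hashed
bytes are the raw typed string with no canonicalisation.
"""
import itertools
import string
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib uses

# Byte-wise lookup table for the reflected CRC-32.
TABLE = []
for _i in range(256):
    _t = _i
    for _ in range(8):
        _t = (_t >> 1) ^ (POLY if _t & 1 else 0)
    TABLE.append(_t)

# The top byte of every table entry is unique; that is what lets
# forge_suffix() walk the CRC backwards (top byte -> table index).
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32(data: bytes) -> int:
    """Standard CRC-32 (register init 0xFFFFFFFF, final XOR 0xFFFFFFFF)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def jamcrc(data: bytes) -> int:
    """JAMCRC: same register, but without the final XOR."""
    return crc32(data) ^ 0xFFFFFFFF


def jamcrc_to_crc32(value: int) -> int:
    """The conversion redblkjck gives: XOR the stored hash with 0xFFFFFFFF."""
    return value ^ 0xFFFFFFFF


def brute_force(target_crc32: int, alphabet: str, max_len: int):
    """Exhaustive search for a string of up to max_len chars with the target CRC-32.
    Fine for short passwords over a small alphabet; hopeless for a random 32-bit target."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            cand = "".join(combo).encode()
            if crc32(cand) == target_crc32:
                return cand
    return None


def forge_suffix(prefix: bytes, target_crc32: int) -> bytes:
    """Return 4 bytes s with crc32(prefix + s) == target_crc32, no search needed.
    Walk the table backwards from the target register to recover the four table
    indices of the last four steps, then forwards from the prefix register to
    turn each index into the byte that selects it."""
    reg = crc32(prefix) ^ 0xFFFFFFFF   # internal register after the prefix
    want = target_crc32 ^ 0xFFFFFFFF   # internal register we must end on
    idx = []
    for _ in range(4):
        i = REV[want >> 24]            # index used in the step that produced 'want'
        idx.append(i)
        want = ((want ^ TABLE[i]) << 8) & 0xFFFFFFFF  # previous register, top 24 bits exact
    idx.reverse()                      # now in processing order
    out = bytearray()
    for i in idx:
        out.append((reg ^ i) & 0xFF)   # byte b with (reg ^ b) & 0xFF == i
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(out)


def forge_printable(target_crc32: int, max_tries: int = 100000):
    """Password made only of printable ASCII with the target CRC-32: try prefixes
    until the forged 4-byte suffix happens to be printable (about 2% of the time)."""
    ok = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    for n in range(max_tries):
        prefix = b"pw%d" % n           # constructed prefix; any bytes would do
        suffix = forge_suffix(prefix, target_crc32)
        if all(b in ok for b in suffix):
            return prefix + suffix
    return None


if __name__ == "__main__":
    stored_jamcrc = 0xEE5125BD                 # the hex digits of the posted "#EE5125BD"
    target = jamcrc_to_crc32(stored_jamcrc)    # 0x11AEDA42, the value redblkjck quotes
    print("CRC-32 to hit: %08X" % target)
    pw = forge_printable(target)
    print("forged password:", pw, "crc32=%08X jamcrc=%08X" % (crc32(pw), jamcrc(pw)))
```

Running the block prints a printable candidate whose CRC-32 is 0x11AEDA42 (and whose JAMCRC is therefore 0xEE5125BD). If such a candidate is typed into the Enter Password dialog and is not accepted, the likeliest reason is that the bytes Armadillo feeds to the CRC are not the raw typed string, which the thread does not settle either way; a hardware breakpoint on the CMP above will show what was actually hashed.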
mrexodia Posted March 16, 2013 (edited)
@redblkjck: I knew password protection was easy to bypass (just make the "Enter Password" window return 1), but I thought it was at least md5...
This is my code from 2011 to bypass the password protection:

    #include <windows.h>

    int main()
    {
        HWND password = 0;
        const char* caption = "Enter Password";
        // Loop until a dialog with the caption pops up...
        while (password == 0)
        {
            password = FindWindowA(0, caption);
            Sleep(100);
        }
        // Set the return code of the dialog before we end it.
        SetPropA(password, "_EndDialogRetCode", HANDLE(1));
        // The actual 'patch': this makes Armadillo think the dialog is ended.
        SetPropA(password, "_EndDialog", HANDLE(1));
        return 0;
    }

EDIT: @Vovan: your unpack doesn't work on win7 unfortunately...
Greetings
Edited March 16, 2013 by Mr. eXoDia